On Sun, Jul 6, 2025 at 2:01 PM Marc Coquand <[email protected]> wrote: > > Heya! > > When you install FreeBSD with zfs+encrypted home, the home is seemingly > "encrypted", but that is only if you login as root, run zfs load-keys and > mount the directory. Otherwise, your home directory is an unencrypted > directory living in the zroot/home dataset. Running `zfs list` makes it seem > that the directory is actually mounted, because you see: > > NAME USED AVAIL REFER MOUNTPOINT > zfs/home/me XX XX XX /home/me > > However, running df uncovers that the dataset is actually never mounted! You > need to first load keys and then mount the disk. I think that's confusing for > a new desktop user. I actually thought my home directory was encrypted since > that is what I had setup in the installer! I only discovered this because > there were no snapshot directory in my $HOME, and so I had created snapshots > for an encrypted dataset that was never mounted. > > It feels like an easy mistake to make, and maybe there could be a way to make > it more obvious. > > Sincerely, > Marc > >
Right, it seems that this feature is sort of half-baked. In the desktop lands the way forward, I think, is implementing of org.freedesktop.home1 DBus interface and teaching display managers to invoke it. For the console usage we can modify login(1) to ask for a passphrase and mount the dataset if needed. Maybe this functionality should even be sinked down to a PAM module to deduplicate the common code.
